summaryrefslogtreecommitdiff
path: root/source4/setup
diff options
context:
space:
mode:
Diffstat (limited to 'source4/setup')
-rw-r--r--source4/setup/cn=samba-admin.ldif12
-rw-r--r--source4/setup/cn=samba.ldif11
-rwxr-xr-xsource4/setup/provision4
-rwxr-xr-xsource4/setup/provision-backend6
-rw-r--r--source4/setup/secrets_init.ldif2
-rw-r--r--source4/setup/secrets_sasl_ldap.ldif9
-rw-r--r--source4/setup/secrets_simple_ldap.ldif6
-rw-r--r--source4/setup/slapd.conf39
8 files changed, 75 insertions, 14 deletions
diff --git a/source4/setup/cn=samba-admin.ldif b/source4/setup/cn=samba-admin.ldif
new file mode 100644
index 0000000000..c59ffd9ab6
--- /dev/null
+++ b/source4/setup/cn=samba-admin.ldif
@@ -0,0 +1,12 @@
+dn: cn=samba-admin
+objectClass: top
+objectClass: person
+cn: samba-admin
+userPassword:: ${LDAPADMINPASS_B64}
+structuralObjectClass: person
+entryUUID: ${UUID}
+creatorsName:
+createTimestamp: ${LDAPTIME}
+entryCSN: 20080714010529.241038Z#000000#000#000000
+modifiersName:
+modifyTimestamp: ${LDAPTIME}
diff --git a/source4/setup/cn=samba.ldif b/source4/setup/cn=samba.ldif
new file mode 100644
index 0000000000..3be6242fe3
--- /dev/null
+++ b/source4/setup/cn=samba.ldif
@@ -0,0 +1,11 @@
+dn: cn=Samba
+objectClass: top
+objectClass: container
+cn: Samba
+structuralObjectClass: container
+entryUUID: b1d4823a-e58c-102c-9f74-51b6d59a1b68
+creatorsName:
+createTimestamp: 20080714010529Z
+entryCSN: 20080714010529.194412Z#000000#000#000000
+modifiersName:
+modifyTimestamp: 20080714010529Z
diff --git a/source4/setup/provision b/source4/setup/provision
index c1d6cd157a..7bd61fc1d8 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -30,7 +30,7 @@ import os, sys
sys.path.insert(0, "bin/python")
import samba
-
+from samba.credentials import DONT_USE_KERBEROS
from samba.auth import system_session
import samba.getopt as options
from samba import param
@@ -131,6 +131,8 @@ else:
creds = credopts.get_credentials(lp)
+creds.set_kerberos_state(DONT_USE_KERBEROS)
+
setup_dir = opts.setupdir
if setup_dir is None:
setup_dir = "setup"
diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend
index 54dc5839bf..845dc8679a 100755
--- a/source4/setup/provision-backend
+++ b/source4/setup/provision-backend
@@ -49,8 +49,8 @@ parser.add_option("--domain", type="string", metavar="DOMAIN",
help="set domain")
parser.add_option("--host-name", type="string", metavar="HOSTNAME",
help="set hostname")
-parser.add_option("--ldap-manager-pass", type="string", metavar="PASSWORD",
- help="choose LDAP manager password (otherwise random)")
+parser.add_option("--ldap-admin-pass", type="string", metavar="PASSWORD",
+ help="choose LDAP admin password (otherwise random)")
parser.add_option("--root", type="string", metavar="USERNAME",
help="choose 'root' unix username")
parser.add_option("--quiet", help="Be quiet", action="store_true")
@@ -96,7 +96,7 @@ if setup_dir is None:
provision_backend(setup_dir=setup_dir, message=message, smbconf=smbconf, targetdir=opts.targetdir,
realm=opts.realm, domain=opts.domain,
hostname=opts.host_name,
- adminpass=opts.ldap_manager_pass,
+ adminpass=opts.ldap_admin_pass,
root=opts.root, serverrole=server_role,
ldap_backend_type=opts.ldap_backend_type,
ldap_backend_port=opts.ldap_backend_port)
diff --git a/source4/setup/secrets_init.ldif b/source4/setup/secrets_init.ldif
index 9eda47e463..eb423a5122 100644
--- a/source4/setup/secrets_init.ldif
+++ b/source4/setup/secrets_init.ldif
@@ -11,5 +11,5 @@ sAMAccountName: CASE_INSENSITIVE
#Add modules to the list to activate them by default
#beware often order is important
dn: @MODULES
-@LIST: update_keytab,operational,objectguid
+@LIST: update_keytab,operational,objectguid,rdn_name
diff --git a/source4/setup/secrets_sasl_ldap.ldif b/source4/setup/secrets_sasl_ldap.ldif
new file mode 100644
index 0000000000..81ccfee209
--- /dev/null
+++ b/source4/setup/secrets_sasl_ldap.ldif
@@ -0,0 +1,9 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPADMINPASS_B64}
+samAccountName: ${LDAPADMINUSER}
+realm: ${LDAPADMINREALM}
+
+
diff --git a/source4/setup/secrets_simple_ldap.ldif b/source4/setup/secrets_simple_ldap.ldif
new file mode 100644
index 0000000000..3f5ccd2df1
--- /dev/null
+++ b/source4/setup/secrets_simple_ldap.ldif
@@ -0,0 +1,6 @@
+dn: CN=SAMDB Credentials
+objectClass: top
+objectClass: ldapSecret
+cn: SAMDB Credentials
+secret:: ${LDAPMANAGERPASS_B64}
+ldapBindDn: ${LDAPMANAGERDN}
diff --git a/source4/setup/slapd.conf b/source4/setup/slapd.conf
index 15b9d3104e..b1ce6f6492 100644
--- a/source4/setup/slapd.conf
+++ b/source4/setup/slapd.conf
@@ -5,17 +5,36 @@ include ${LDAPDIR}/backend-schema.schema
pidfile ${LDAPDIR}/slapd.pid
argsfile ${LDAPDIR}/slapd.args
sasl-realm ${DNSDOMAIN}
-access to * by * write
-allow update_anon
+#authz-regexp
+# uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
-authz-regexp
- uid=([^,]*),cn=${DNSDOMAIN},cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+#authz-regexp
+# uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
+# ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
authz-regexp
uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
- ldap:///${DOMAINDN}??sub?(samAccountName=\$1)
+ ldap:///cn=samba??one?(cn=\$1)
+
+authz-regexp
+ uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
+ ldap:///cn=samba??one?(cn=\$1)
+
+access to dn.base=""
+ by dn=cn=samba-admin,cn=samba manage
+ by anonymous read
+ by * read
+
+access to dn.subtree="cn=samba"
+ by anonymous auth
+
+access to dn.subtree="${DOMAINDN}"
+ by dn=cn=samba-admin,cn=samba manage
+ by * read
+
+password-hash {CLEARTEXT}
include ${LDAPDIR}/modules.conf
@@ -23,6 +42,11 @@ defaultsearchbase ${DOMAINDN}
${MEMBEROF_CONFIG}
+database ldif
+suffix cn=Samba
+directory ${LDAPDIR}/db/samba
+
+
database hdb
suffix ${SCHEMADN}
directory ${LDAPDIR}/db/schema
@@ -78,9 +102,6 @@ index dnsRoot eq
index nETBIOSName eq
index cn eq
-rootdn ${LDAPMANAGERDN}
-rootpw ${LDAPMANAGERPASS}
-
#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov